Comment by toast0
5 hours ago
> The key advantage of pf over iptables for this kind of use case is that rule evaluation is deterministic and the syntax stays readable enough to audit six months later without documentation archaeology.
Is iptables not deterministic? Don't the packets look at each rule in numerical order until something matches? If you have two rules with the same number, shame on you.
Re archaeology, OpenBSD changed the rules syntax for some reason and the other platforms with pf kept the existing syntax, so that's always a fun game to play.
I think the issue is if you are dynamically updating the rules then you might have an intermediate state where some packets are processed according to some set of rules which is neither the set of rules at the start nor at the end. Whereas with anchors you can flip between different sets of rules atomically. (though I suspect you can do the same with iptables but it'll be called something different)
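As an added illustration of the anchor flip described in the comment above (this is example code, not the commenter's), the sketch below renders a complete ruleset for one of two states and loads it into a pf anchor with a single `pfctl -a ... -f` call, so the anchor changes from the old set to the new set in one commit rather than rule by rule. It assumes the main `pf.conf` already contains `anchor "staged"` and uses a hypothetical service on TCP port 8443 with 192.0.2.10 as a constructed "allowed host"; `iptables-restore` (and `nft -f` on nftables) is the closest counterpart, since it also replaces a whole table in one step.

```shell
#!/bin/sh
# Added example: swap a pf anchor's ruleset atomically.
# Assumes the main pf.conf contains:   anchor "staged"
# The port (8443) and host (192.0.2.10) are constructed for illustration.
set -eu

ANCHOR=staged

# Render a complete, self-consistent ruleset for a named state.
# Because the whole set is produced at once, there is no half-built state.
# "quick" makes the first matching rule final, so the per-host pass must
# come before the catch-all block in the "locked" set.
render_anchor_rules() {
    case "$1" in
        open)
            printf 'pass in quick proto tcp to port 8443 keep state\n'
            ;;
        locked)
            printf 'pass in quick proto tcp from 192.0.2.10 to port 8443 keep state\n'
            printf 'block in quick proto tcp to port 8443\n'
            ;;
        *)
            echo "unknown state: $1" >&2
            return 1
            ;;
    esac
}

# Load one state into the anchor. pfctl parses the entire file before
# committing it, so packets see either the old or the new set, never a mix
# (unlike a loop that adds or deletes rules one at a time).
load_anchor() {
    state=$1
    tmp=$(mktemp)
    render_anchor_rules "$state" > "$tmp"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -a "$ANCHOR" -f "$tmp"          # atomic replacement of the anchor
        pfctl -a "$ANCHOR" -s rules           # show what is now active
    else
        echo "(dry run) pfctl -a $ANCHOR -f $tmp" >&2
    fi
    rm -f "$tmp"
}

# Number of rules in a rendered state; a cheap sanity check before loading.
rule_count() {
    render_anchor_rules "$1" | wc -l | tr -d ' '
}
```

Run `load_anchor locked` or `load_anchor open` as root on a pf host; without pfctl the functions still render and count the rules for inspection.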